Encryption positions harden

With help from Joseph Marks, David Perera, Alex Byers and Josh Gerstein

THE POST-PARIS ENCRYPTION DEBATE — If the Paris terrorist attacks stirred a moribund debate on mandating backdoors in encrypted communications, the bloodshed doesn’t seem to have changed anyone’s opinion. European officials have suggested the attackers used encrypted messaging apps to conceal their plotting but have yet to offer any evidence. Asked Monday whether the attacks will reopen the debate, senators clung to their established opinions.

“Of course privacy is important, but so is the rule of law,” said Chuck Grassley. “Technology exists today that allows terrorists and criminals to communicate in the shadows, using encryption that makes it impossible for law enforcement or national security authorities to do everything they can to protect Americans.” Dianne Feinstein pointed to ISIL’s use of "apps to communicate on that cannot be pierced, even with a court order,” during an interview on MSNBC. It gives them a "secret way of being able to conduct operations and operational planning," she said. Ron Wyden reaffirmed his position by noting that requiring “U.S. companies to build less secure products won't stop terrorists from using encrypted communications or put an end to terrorist attacks." He added that "undermining strong encryption would be an enormous gift to foreign hackers, and would have serious negative consequences for U.S. cybersecurity."

House members, meanwhile, will get a classified briefing on Paris today from Homeland Security Secretary Jeh Johnson and FBI Director James Comey, at the request of Speaker Paul Ryan.

— ADMINISTRATION ANSWERS: CIA Director John Brennan drew a direct connection between encrypted communications and intelligence failures leading up to the Paris attacks. "There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need," he said Monday at the Center for Strategic and International Studies.

Attorney General Loretta Lynch, meanwhile, said a few hours later that the government hopes the private sector can help unlock what seems like the policy equivalent of a Rubik’s Cube. “For us, this is an issue which we recognize not only the importance of encryption but the need to do everything we can to protect the American people and as we’ve stated we are pursuing a number of options,” she said. “We’re in discussions with industry looking for ways in which they can lawfully provide us information while still preserving privacy.”

— BUSH, RUBIO GO META: Former Florida Gov. Jeb Bush said Monday that as president, he would pressure Congress to reverse this summer’s legislation blocking the NSA from collecting phone and Internet records in bulk. Under the legislation, which President Barack Obama signed in June, the phone record collection program is set to expire at the end of this month. After Nov. 29, the NSA will have to make requests to companies to obtain the metadata. “I think that was a useful tool to keep us safe and to also protect civil liberties,” Bush said on MSNBC. “This is a time to reevaluate our policies as it relates to these threats.” http://bit.ly/1MisvRl

Fellow GOP presidential candidate Marco Rubio took aim at rivals Ted Cruz and Rand Paul on Monday for voting to block the metadata programs, saying they backed the "weakening" of U.S. intelligence capabilities: http://politi.co/1H5LQ9p

— TECH AND PRIVACY PUSHBACK: Privacy activists are battling the emerging Paris narrative blaming encryption for an apparent intelligence failure. “Encryption only thwarts interception,” tweeted Christopher Soghoian, principal technologist at the American Civil Liberties Union. “For high-value targets, such as known bad guys talking to ISIL, I'd expect govs to hack their phones.” Sony’s PlayStation 4 unexpectedly landed in the spotlight as a reputed communication tool for the Paris terrorists (perhaps erroneously: http://bit.ly/1HU13Ft). The Japanese company promised to alert authorities if it became aware its network was being used for illegal purposes. More: http://cnb.cx/1YdwT9C

— JIHADIS GET MESSAGING APP ADVICE FROM DARK WEB: A jihadi dark web site that apparently went live last weekend and purports to be from ISIL’s media arm urges users to download the encrypted Telegram messaging app. The terror group uses the dark web because its media arm, dubbed Al-Hayat, routinely gets kicked off the wider web, said extremism researcher J.M. Berger. “The idea here is to host the site somewhere that it can't easily be suspended. They are still trying to get their regular domain back online, but they have had trouble keeping it up lately,” he told MC.

In 2008, terror supporters released an encrypted messaging application dubbed Mujahedeen Secrets 2 that’s earned some praise for its sophisticated encryption. The tool is “still around, but I never had the sense that it really caught on in a terrifically big way,” Berger said. The Al-Hayat dark web site also has an address for those with the Tor Browser. According to NBC, ISIL also has a 24-hour “help desk” to help jihadis encrypt their communications: http://nbcnews.to/1HQp3OX

— THE SNOWDEN BLAME GAME: Dave has the story about all the finger-pointing at former NSA contractor Edward Snowden. Read on: http://politico.pro/1l1zfKb

ANOTHER BRICK IN THE WALL — The Education Department is doing a poor job on everything from responding to cyberattacks to updating its software and hardware, but it’s especially bad at monitoring its computer networks for threats, according to an annual inspector general audit. Those networks house millions of records on students and their parents, but the department has a long list of recommendations it still hasn’t implemented, Inspector General Kathleen Tighe said in prepared testimony for the House Oversight and Government Reform Committee today. Danny Harris, department CIO, said in his written testimony that the department was adequate in five areas and was addressing its other shortcomings.

“While the data breaches at OPM should be a watershed moment for federal information security, that doesn’t seem to be the case,” Committee Chairman Jason Chaffetz will say in an opening statement. “The Department of Education serves tens of millions of students and parents, all of whom entrust the agency to protect their most personal and financial information. But the Department is showing bad behavior patterns reminiscent of those of OPM prior to its catastrophic breaches.” The hearing: http://1.usa.gov/1SqpGzc The IG audit: http://1.usa.gov/1PKXK9V

JUST IN SPACE — Attorney General Lynch will tout the Justice Department’s cyber achievements to the House Judiciary Committee at an oversight hearing today, telling the panel in written testimony that the department is “placing a particular emphasis on countering threats in cyberspace.” Justice has created a new unit within the Criminal Division’s Computer Crime and Intellectual Property Section and launched a new National Security Division initiative to improve information sharing on cyber threats with industry. Lynch’s testimony comes one day after the Justice Department inspector general singled out cybersecurity as one of the department’s biggest challenges and said coordination with the private sector is a particular weak point: http://1.usa.gov/1WWjRQA

In the wake of the Paris attacks, Lynch should prepare for a grilling on the administration’s policy toward ISIL — Judiciary Chairman Bob Goodlatte sounded angry in a statement Monday: http://1.usa.gov/1MxzYd2 Expect more encryption talk, too. The committee has jurisdiction over the Communications Assistance for Law Enforcement Act, which requires telecommunications carriers to develop systems allowing the government to intercept electronic communications. Law enforcement officials have complained that the 1994 law is too narrow for today’s Internet-based communications technologies. Hearing info: http://1.usa.gov/1Ls7CCS

PIVOT.NET — When President Barack Obama arrives in Asia today as part of his vaunted “pivot,” his message will include a cyber component. The White House issued a fact sheet Monday highlighting Obama’s cyber agenda in the region to date, such as boosting friendly nations’ ability to detect attacks and fend off cybercrime while still preserving a free and open Internet. Obama “will underscore the applicability of international law to cyberspace and the importance of the voluntary adoption of additional norms of responsible state behavior in peacetime, and the development of cyber confidence building measures” during his stops in the Philippines and Malaysia, the White House said.

CHIP AND PIN — Attorneys general from eight states and the District of Columbia wrote to top banks and credit card companies Monday urging them to shift as rapidly as possible to chip and PIN technology to secure credit and debit cards. As of Oct. 1, the liability for in-person fraud with a credit or debit card rests with whichever party to the transaction -- the retailer or card issuer -- hasn’t upgraded to chip-enabled cards that are significantly tougher to counterfeit than traditional cards. The liability shift doesn’t address whether those cards are verified with a customer signature or with a PIN.

“Unlike signatures, PIN numbers can be changed easily and as frequently as needed by the consumer,” the AGs state, adding that “absent this additional protection, your customers and our citizens will be more vulnerable to damaging data breaches. This is something we cannot accept, and nor should you.” Signatories: Connecticut, New York, Illinois, Maine, Massachusetts, Vermont, Rhode Island, Washington state and Washington, D.C. The letter: http://1.usa.gov/1WWA34j

CONTRACTORS URGE DOD TO DELAY CYBER RULE — A coalition of industry groups is urging the Defense Department to hold off on implementing a new interim rule requiring DoD contractors and subcontractors to report significant cyber incidents, saying “contractors are scrambling to understand the regulation, and its far-reaching impacts, on how a company or supplier protects its networks and data.” The rule was mandated by parts of the 2013 and 2015 National Defense Authorization Acts.

The groups, including the U.S. Chamber of Commerce, the Aerospace Industries Association and the Information Technology Alliance for Public Sector, argue the interim rule “uses extremely broad and vague terms such as ‘potentially adverse’ and ‘may have occurred’ to set a compliance standard that do not help contractors and subcontractors to define how to meet their reporting obligations.” The letter: http://bit.ly/1NA7yzg More on the letter from ITAPS: http://bit.ly/1j45mY8 The interim rule: http://1.usa.gov/1UK9NDW

REPORT WATCH

— Information technology security pros around the world gave their organizations an overall “C” grade on their cyber defenses, according to a survey out today by Tenable Network Security. U.S. professionals gave their organizations an average of a “B-,” while Australians were the most pessimistic with a “D+.” http://bit.ly/1My9198

About the Author: Tim Starks

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.